Process isolation using protection domains

US 7,882,317 B2
Filed: 08/04/2006
Issued: 02/01/2011
Est. Priority Date: 12/06/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of isolating a plurality of operating system processes on a particular processor, the method comprising:

using software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes;

grouping the plurality of operating system processes into a plurality of protection domains, each of the at least two operating system processes being grouped into a different protection domain; and

using hardware protection to prevent one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the one of the at least two operating system processes, the hardware protection operating as backup protection to the software protection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.

129 Citations

20 Claims

1. A computer-implemented method of isolating a plurality of operating system processes on a particular processor, the method comprising:
- using software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes;
  
  grouping the plurality of operating system processes into a plurality of protection domains, each of the at least two operating system processes being grouped into a different protection domain; and
  
  using hardware protection to prevent one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the one of the at least two operating system processes, the hardware protection operating as backup protection to the software protection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, the hardware protection comprising assigning one of the protection domains a more-privileged processor privilege level than is assigned to other protection domains that include one or more of other processes of the plurality of operating system processes, wherein a processor executing the plurality of operating system processes prevents the one or more of the other processes from accessing memory assigned to the one of the at least two operating system processes in the protection domain, and further prevents the one or more of the other processes from accessing virtual memory features of the processor.
  - 3. A method as recited in claim 1, the hardware protection of the processor comprising using virtual memory to isolate one or more address spaces of the protection domains from address spaces of other protection domains.
  - 4. A method as recited in claim 1, wherein an operating system that controls execution of the plurality of operating system processes can terminate execution of each of the plurality of operating system processes individually.
  - 5. A method as recited in claim 1, further comprising accessing a set of rules specifying which protection domains should include which operating system processes in order to identify the processes to be grouped into the protection domains.
  - 6. A method as recited in claim 1, the using hardware protection of the processor comprising:
    - identifying a first protection domain as a kernel domain;
      
      identifying a second protection domain as the kernel domain; and
      
      identifying a third protection domain as not the kernel domain.
  - 7. A method as recited in claim 1, wherein one of the protection domains is a kernel domain, and wherein each of the plurality of operating system processes is a software isolated process (SIP) having software protection.
  - 8. A method as recited in claim 1, further comprising using the hardware protection to prevent an additional process from accessing memory assigned to the plurality of operating system processes on the processor without using the software protection to prevent the additional process from accessing memory assigned to the plurality of operating system processes.
  - 9. A method as recited in claim 1, the software protection comprising allowing the at least two operating system processes to exchange data through an area of memory belonging to neither of the at least two operating system processes and allowing only one of the at least two operating system processes to reference a data structure corresponding to a message at a time.

10. One or more computer readable media having stored thereon a plurality of instructions that, when executed by a particular processor, causes the processor to:
- use software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes;
  
  group the plurality of operating system processes into a plurality of protection domains, one of the at least two operating system processes being grouped into a first protection domain and the other of the at least two operating system processes being grouped into a second protection domain; and
  
  use hardware protection to prevent the one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the first protection domain, the hardware protection operating as backup protection to the software protection,wherein the hardware protection includes a page table associated with the first protection domain that identifies memory pages that are accessible by the operating system processes of the first protection domain.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. One or more computer readable media as recited in claim 10, wherein the software protection includes preventing null pointers, references outside an array'"'"'s bounds, and references to deallocated memory.
  - 12. One or more computer readable media as recited in claim 10, the hardware protection comprising assigning the first protection domain a more-privileged processor privilege level than the second protection domain, wherein a processor prevents operating system processes of the second protection domain from accessing the memory space of operating system processes of the first protection domain and further prevents the operating system processes of the second protection domain from accessing virtual memory features of the processor.
  - 13. One or more computer readable media as recited in claim 10, the hardware protection comprising identifying the first protection domain and the second protection domain as kernel domains, identifying a third protection domain to which is assigned a third plurality of operating system processes, and identifying the third protection domain as not a kernel domain.
  - 14. One or more computer readable media as recited in claim 10, the hardware protection comprising using virtual memory to isolate a virtual address space of the first protection domain from a virtual address space of the second protection domain.
  - 15. One or more computer readable media as recited in claim 10, wherein which operating system processes are to be assigned to the first protection domain and which operating system processes are to be assigned to the second protection domain changes over time.
  - 16. One or more computer readable media as recited in claim 10, wherein the page table is loaded when an operating system process of the first protection domain is executed.

17. A computing device comprising:
- a processor; and
  
  a memory, coupled to the processor, the memory storing a plurality of instructions that, when executed by the processor, cause the processor to isolate a plurality of operating system processes on the processor from each other by;
  
  using software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes, the software protection further including preventing null pointers, references outside an array'"'"'s bounds, or references to deallocated memory;
  
  grouping the plurality of operating system processes into a plurality of protection domains, each of the at least two operating system processes being grouped into a different protection domain; and
  
  using hardware protection to prevent one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the one of the at least two operating system processes, the hardware protection operating as backup protection to the software protection,wherein the hardware protection includes a page table associated with the protection domain having the one of the at least two processes, that protection domain identifying memory pages that are accessible by the operating system processes of that protection domain.
- View Dependent Claims (18, 19, 20)
- - 18. A computing device as recited in claim 17, the hardware protection comprising assigning a first protection domain a more-privileged processor privilege level than is assigned to one or more other protection domains, wherein a processor prevents one or more other processes of the other protection domains from accessing memory spaces of one or more processes in the first protection domain and further prevents the one or more other processes from accessing virtual memory features of the processor.
  - 19. A computing device as recited in claim 17, the hardware protection comprising using virtual memory to isolate a virtual address space of a first protection domain from one or more virtual address spaces of other protection domains.
  - 20. A computing device as recited in claim 19, the hardware protection further comprising using processor privilege levels to prevent other processes of the plurality of operating system processes from circumventing the virtual memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hawblitzel, Chris K., Aiken, Mark, Hunt, Galen C., Fahndrich, Manuel A., Larus, James R.
Primary Examiner(s)
Bragdon; Reginald G
Assistant Examiner(s)
Ruiz; Aracelis

Application Number

US11/462,556
Publication Number

US 20080141266A1
Time in Patent Office

1,642 Days
Field of Search

711/152
US Class Current

711/163
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 12/109   for multiple virtual addres...

G06F 12/1491   in a hierarchical protectio...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 2212/1016   Performance improvement

G06F 2212/1052   Security improvement

G06F 2212/651   Multi-level translation tables

G06F 2212/657   Virtual address space manag...

G06F 9/544   Buffers; Shared memory; Pipes

Process isolation using protection domains

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Process isolation using protection domains

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links